will.thoughts.pop
    Protecting yourself against the WordPress login page exploit

    Posted on August 11th, 2009 Will 1 comment

    Anyone who runs a WordPress blog will hopefully be aware of the recent exploit against the login page:

    “You can abuse the password reset function, and bypass the first step and
    then reset the admin password…”

    and

    “An attacker could exploit this vulnerability to compromise the admin
    account of any wordpress/wordpress-mu <= 2.8.3”

    There’s no fix in any released version yet, but you can protect yourself with a bit of Apache config until one is released. Just add this to your WordPress virtual host, replacing “you.re.ip.add” with the IP address you want to access the login page from:

    # Apache 2.2 (mod_authz_host) syntax; on Apache 2.4 the equivalent is
    # "Require ip you.re.ip.add" unless mod_access_compat is loaded.
    <Location /wp-login.php>
    Order deny,allow
    Deny from all
    # Deny is evaluated first, then this single address is let through
    Allow from you.re.ip.add
    </Location>

    This will present any user who is not accessing your login page from that IP with a 403 Forbidden error. If you want to block all IPs until a fix comes out, just leave out the Allow line:

    <Location /wp-login.php>
    Order deny,allow
    Deny from all
    </Location>
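    To confirm the restriction is actually in effect, here is an added Python example (not from the original post) that audits Apache access-log lines for hits on wp-login.php: it counts the 403s handed to non-allowlisted addresses and flags any request from such an address that got through. The log lines are constructed, and 203.0.113.7 is assumed to be the allowlisted address.

```python
import re
from collections import Counter

# Apache combined log format; the sample lines below are constructed for this example.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+'
)

SAMPLE_LOG = """\
203.0.113.7 - - [11/Aug/2009:10:01:02 +0100] "GET /wp-login.php HTTP/1.1" 200 1532 "-" "Mozilla/5.0"
198.51.100.9 - - [11/Aug/2009:10:02:10 +0100] "GET /wp-login.php?action=lostpassword HTTP/1.1" 403 212 "-" "curl/7.19"
198.51.100.9 - - [11/Aug/2009:10:02:11 +0100] "POST /wp-login.php?action=lostpassword HTTP/1.1" 403 212 "-" "curl/7.19"
192.0.2.44 - - [11/Aug/2009:10:03:00 +0100] "POST /wp-login.php?action=lostpassword HTTP/1.1" 200 0 "-" "curl/7.19"
203.0.113.7 - - [11/Aug/2009:10:04:00 +0100] "GET /index.php HTTP/1.1" 200 8000 "-" "Mozilla/5.0"
"""

def audit_login_access(log_text, allowed_ips):
    """Return (blocked_by_ip, leaks) for requests to /wp-login.php.

    blocked_by_ip: Counter of non-allowlisted IPs that received a 403.
    leaks: log lines where a non-allowlisted IP reached wp-login.php without a
           403, i.e. evidence the <Location> restriction is not in effect.
    """
    blocked = Counter()
    leaks = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        # <Location /wp-login.php> matches the path regardless of query string,
        # so strip the query (e.g. ?action=lostpassword) before comparing.
        path = m.group("path").split("?", 1)[0]
        if path != "/wp-login.php":
            continue
        ip, status = m.group("ip"), int(m.group("status"))
        if ip in allowed_ips:
            continue
        if status == 403:
            blocked[ip] += 1
        else:
            leaks.append(line)
    return blocked, leaks

if __name__ == "__main__":
    blocked, leaks = audit_login_access(SAMPLE_LOG, {"203.0.113.7"})
    print("blocked attempts per IP:", dict(blocked))
    print("requests that bypassed the restriction:", len(leaks))
```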


    One response to “Protecting yourself against the WordPress login page exploit”

    1. I did the same, but I used “your.ip.add” instead.
